Best practices for authentication of simple web apps (5 messages)
- Posted by: Chris Rose
- Posted on: April 29 2004 17:38 EDT

I'm a total newbie to J2EE programming, and in fact to client/server programming in general, so please be gentle :)
I'm trying to figure out an effective way to do authentication for my application. It uses only servlets and JSPs, since the whole EJB thing is a bit more than I need right now, but I wouldn't mind knowing how things work there, too.
At the moment, I'm storing password hashes in the database in a userlogin table, and just storing either a null userid or, if someone is logged in, a set userID in the HttpSession object that passes around the pages. Something tells me, though, that this is not the way I should be doing it.
I'm using JBoss to host this, if it makes a difference. Can someone point me at the right book/site that can teach me the right practices to use to solve this?
Thanks.
Best practices for authentication of simple web apps
- Posted by: Bidyut Pattanayak
- Posted on: April 29 2004 19:56 EDT
- in response to Chris Rose
The best way for you would be to use the MVC pattern, where the job of the controller would be to do authentication. You can read the documentation on Struts on how to do it. Also think of adopting Struts or any other MVC framework for your JSP application. It would be scalable in the long run with less maintenance. The Struts default controller has the facility to override and provide your own way of authentication.
Best practices for authentication of simple web apps
- Posted by: Chris Rose
- Posted on: April 29 2004 21:27 EDT
- in response to Bidyut Pattanayak
I'm trying to learn the J2EE thing from first-ish principles, which means I'm choosing not to use Struts as yet, until I understand things well enough to do without them. Then I'll add them in.
What other options are there?
Best practices for authentication of simple web apps
- Posted by: Senthil Chinnaiyan
- Posted on: April 30 2004 08:52 EDT
- in response to Chris Rose
> I'm trying to learn the J2EE thing from first-ish principles, which means I'm choosing not to use Struts as yet, until I understand things well enough to do without them. Then I'll add them in. What other options are there?

I would suggest you start with servlets and JSPs with helper classes and Data Access Objects (apply the MVC pattern), then learn Struts; you will find how easy Struts is to use for the MVC pattern.
Sun is the best place to learn J2EE.
Tutorial: http://java.sun.com/j2ee/tutorial/1_3-fcs/
AudioCasts: http://java.sun.com/developer/onlineTraining/webcasts/
Thanks,
Senthil.
Best practices for authentication of simple web apps
- Posted by: Chris Rose
- Posted on: April 30 2004 12:09 EDT
- in response to Senthil Chinnaiyan
The thing is, I'm not looking for general application design answers, although those are great too, since there seem to be a lot of ways one can do design of J2EE apps. The MVC pattern is the one I'm looking at, but that's beside the point.
What I want to know is how I can handle authentication in such a way that I can add new users via a web interface and authenticate them for access to resources on the site. Do I use JAAS? And if so, how? Or do I write my own hack auth system and just do checks against the HttpSession that is passed throughout the session?
And how do I set cookies, and use them for 'remember me' logins?
Basically, I plan to pick up a book or two on the subject, but I'd like to know now which one I should look at, and/or what web resources are ideal for answering this particular kind of design question.
Be sure I'll be reading that tutorial, by the way -- I'm not trying to suggest that it was a bad idea, just that I'm looking for very specific information at the moment.
Thanks again for all the help.
Container Managed Security
- Posted by: joseph yi
- Posted on: May 03 2004 17:24 EDT
- in response to Chris Rose
Have you investigated your application server's container managed security mechanisms? Within web.xml, you can define what URL patterns are protected, what login scheme to use, and who has permission to access the resource, but the 'implementation' of how the container managed security works is dependent on your particular app server. Based on the login, you can call HttpServletRequest's getRemoteUser() to get the 'user login name' without really having to deal with sessions directly.
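The web.xml declaration described in the post above, as an added example that is not part of the original thread or of any project it mentions. It targets the Servlet 2.3 DTD that JBoss shipped against at the time; the URL pattern /members/*, the role name "member", the page names login.jsp and loginError.jsp, and the comments are all constructed for illustration. The security-relevant choices are commented inline: leaving out http-method so that every HTTP method is constrained (listing only GET and POST would leave HEAD, PUT, DELETE and the rest unprotected), and requiring a CONFIDENTIAL transport so that the form credentials do not cross the wire in clear text.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
  "http://java.sun.com/dtd/web-app_2_3.dtd">
<!-- Constructed example of container-managed security for a servlet/JSP app.
     Element order follows the 2.3 DTD: security-constraint, login-config, security-role. -->
<web-app>

  <!-- 1. WHAT is protected: every URL under /members/ (pattern is an assumption). -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Members area</web-resource-name>
      <url-pattern>/members/*</url-pattern>
      <!-- Deliberately no <http-method> elements: with none listed, the constraint
           applies to ALL methods. Listing GET and POST only would leave HEAD, PUT,
           DELETE, OPTIONS and TRACE reachable without authentication. -->
    </web-resource-collection>

    <!-- 2. WHO may reach it: only authenticated callers mapped to the "member" role.
         An empty <auth-constraint/> would instead deny everyone. -->
    <auth-constraint>
      <role-name>member</role-name>
    </auth-constraint>

    <!-- 3. HOW it may be reached: the container redirects plain HTTP requests to
         HTTPS, so the login form and session cookie are not sent in clear text. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Login scheme. With FORM the container intercepts the first request to a
       protected URL, shows /login.jsp, and expects that page to POST the fields
       j_username and j_password to the special URL j_security_check. On success
       it replays the original request; on failure it shows /loginError.jsp. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginError.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Every role referenced in an auth-constraint or via isUserInRole() must be declared. -->
  <security-role>
    <role-name>member</role-name>
  </security-role>

</web-app>
```

Once this is in place, a servlet or JSP under /members/ can trust the container's verdict: request.getRemoteUser() returns the authenticated login name (and null if, for example, the same code is ever reached through an unconstrained URL, so callers should still treat null as "not logged in"), and request.isUserInRole("member") answers authorization questions without the application touching the HttpSession. The part the post calls server-dependent, namely how a j_username/j_password pair is checked against the userlogin table and which roles come back, is not in web.xml at all; in the JBoss releases of that era, as best I recall and stated here as an assumption about the version, it is wired by naming a <security-domain> in WEB-INF/jboss-web.xml and configuring a login module for that domain (a database-backed one that can compare against stored password hashes) in the server's conf/login-config.xml.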